Is There A Solution To The Government's Encryption Problem?

The Australian government is at its dithering best (worst?) when it comes a number of things to do with the digital economy. While the NBN is struggling to deliver really fast services, they did a pretty good job with the national cybersecurity strategy. Which is why their flailing attempts at articulating their views on messaging services that use encryption is so infuriating.

Here’s the government’s problem. For most of the last century, law enforcement had a relatively easy time of it listening in to our phone calls. All they needed was a warrant and a tap on the shoulder of the telco (that they conveniently owned) and they could listen in on whatever they wanted.

Then this pesky thing called progress happened. We got the internet and strong encryption became legal. Jump forward a couple of decades and we can use apps like Signal, WhatsApp or iMessage to commune with whomever we want without any chance of people snooping unless they hack your endpoint devices - something intelligence agencies are pretty good at.

There have been the occasional murmurs from the office of the Attorney General George Brandis, who seems determined to steal former Communications Minister Richard Alston’s trophy as the worlds greatest luddite, that tech companies should build back doors into their systems, as if those would only stay in the “safe hands” of government.

Encryption is an important technology - something the Prime Minister said in parliament today. With messaging service providers not retaining decryption keys, they have no way of giving access to our messages unless they make their platforms less secure.

So, I’m asking the hive mind of Lifehacker readers - is there a way around this conundrum that gives law enforcement a way of accessing encrypted messages that are being used by criminals that doesn’t compromise the right to privacy enjoyed (at least for now) of every Australian citizen?

Comments

No. Even if they force WhatsApp, Apple, Facebook, Google, Blackberry, Whoever else to build in backdoors, there will always be services or other ways to communicate in a secret encrypted way. The only thing this does is make legitimate communications less secure.

Instead of looking at what people are saying, perhaps they should take a good hard look at WHY they're saying it.

You either have privacy or you don't, there is no real in-between, asking telco's and app builders o provide back doors is just plain laughable. If we get any closer to the USA's model though, things will get real Orwellian real fast.

There is no way around it and the language being used around it is confusing people and making them fearful. Encryption is a good thing. If we can't encrypt then say goodbye to internet banking and all the commerce that depends on it. Once traffic is encrypted you can't tell the difference between e-commerce and email. Next thing governments will demand decryption to e-commerce so they can be sure it isn't some new type of encrypted messaging.

The solution is simple, the government has to own the only telecommunications company in the country... they could call it a Telecom and it would own all the hardware in the country, as long as they dont float it on the stock exchange and allow foreign companies into Australia.

This is not the day when that wiring a physical device on a hardline is spying, this is creating software doors in systems that you can't guarantee control.

With software encryption and clouds, even if they had could create this magical unbreakable back door to everything... the terrorists would just make their own version. Its dumb they think its all on facebook and email... this is dark web stuff.

The NSA and CIA have lost more weapons of electronic surveliance to the general population and hackers in the last 20 years its scarey. Wannacry was a US spy agency exploit they had leaked, their "contractors" steal code and then lose it on a regular basis, and you want a single password lying around that can break anyones privacy... you own government cant even properly de-identify a phone list private MP accounts properly.

Our prime minister was a telecommunications minister that had to give Brandis a tutorial on encrypted messaging apps so he wouldnt look like a moron when explaining Metadata. Why is he acting dumb right now!!!

Yes, terrorists don't deserve privacy... there is a system called warrants and probable cause, it already exists along with meta-data, that should be enough to get started.

But if you want to stop terrorism, look at the root cause, lone gunman and suicidal attackers... this isn't an issue of surveillance or religion, this is about investing in proper mental health care and early detection that these people get help, rather than falling victim to drugs / crimes and being brain washed into a cycle of bias and hatred that fuels hate.

ASIO and the Police knew everything about Mahon and Khayre, they were in the system, they were on payroll and bail when they committed their crimes... they were mentally unstable and violent and the police refused to survey them (cost/time/man-power/legal power) or the court just cut them loose. Fix the legal system, fix the law enforcement resources before giving them the problem of Big Data cause at the moment they dont even have the resources to check everyone on their list let alone everyone else you imagine is a terrorist.

Taking a punt at a solution... what if there was a way to offer a single use, duration-limited, single sender decryption key? Something like this:

* All messages sent over a secure messaging system are stored, encrypted, with a different set of keys each day.
* For each conversation, an additional, algorithmically slow, decryption key is generated.
* If the additional key is applied, it decrypts all messages for one sender, for one day, but then irreversibly renders all the other additional decryption keys impotent.

By court order or other national security decree, the key can be handed over and a targeted decryption applied, keeping all other conversations safe. Attempts to apply the key to compromised copies of the message log are rendered ineffective due to the time required to apply the decryption. The key is useless for the next day's conversations, and a new agreement must be made to hand over the next day's key. If the keys are compromised, then only one sender each day looses their security. If the keys and the message logs are compromised, then it's still algorithmically impractical to decrypt more than a few hundred sender's messages per day.

It's got some lose ends that need tidying, but given the current impasse between government's (and concerned citizen's) demands for protection from bad parties, and citizen's demands for privacy, there might be significant motivation to flesh out such a solution.

Only logged in users may vote for comments!

Get Permalink

Trending Stories Right Now

Yesterdays' announcement of the new Samsung Galaxy Fold might not have been as well executed as a famous Steve Jobs reveal but it was every bit as revolutionary. In the same way the iPhone and iPad completely changed what we expected from mobile devices, the Samsung Fold is poised to change the tech world. But while the hardware looks incredible, it's the software I want to focus on. In that brief glimpse, we saw how far iOS has fallen behind Android.

You've now had 24 hours to digest the Samsung Galaxy S10 smartphone and its bevy of game-changing features. If you've decided this phone is for you, pre-ordering from Samsung direct is a pretty smart option. But what if you can't afford to buy one outright?